Hello guys,
I’m literally going crazy here over this.
So I’m developing a web app in PHP to let users sign in with Twitter. I’m stuck at step 1 of the documentation: when I send a GET request to oauth/request_token without oauth_callback, I get a successful answer:
https://api.twitter.com/oauth/request_token?oauth_consumer_key=yZO1dddsFCQ6kFmwoiseQw&oauth_nonce=1356909970&oauth_signature=3MQ3ux1xwhh7q8p5%2Bww13dE6NCEo%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1356909970&oauth_version=1.0
but when I add the callback URL, the authentication fails:
https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2F127.0.0.1%2Ftest%2F&oauth_consumer_key=yZO1cBtdFddsrDDwoiseQw&oauth_nonce=1356910050&oauth_signature=ylpqpXhxmV1WBwyqpmS8itMh1m8%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1356910050&oauth_version=1.0.
I’m using the querystring method. The URL looks good to me (it reflects the same encoding as the documentation). Both URLs (twitter.com and mine) go through the same process to create the signature, so I would exclude that, since without my URL it works!
Could it be a wrong URL encoding in the query request?
Also, the time on my server is correct, and I added the callback URL in the app settings even though I read it doesn’t have to be the same.
By the way, it also succeeds if I put “oob” or anything without “:” or “/” in oauth_callback.
Another thing: in the documentation I read this about oauth_callback:
For OAuth 1.0a compliance this parameter is required. The value you specify here will be used as the URL a user is redirected to should they approve your application's access to their account. Set this to oob for out-of-band pin mode. This is also how you specify custom callbacks for use in desktop/mobile applications.
Always send an oauth_callback on this step, regardless of a pre-registered callback.
So if it’s required, how come my requests are successful without it?
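
The signing rules from RFC 5849 that this question turns on, as an added example that is not part of the original post: each parameter value is percent-encoded once, and the joined parameter string is encoded again inside the signature base string, so only values containing reserved characters such as ":" and "/" are sensitive to an encoding mistake. The consumer key and secret are constructed placeholders, and the function names are hypothetical.

```php
<?php
// Added example: OAuth 1.0a (RFC 5849) HMAC-SHA1 signing of a request_token call.
// The consumer key and secret below are constructed placeholders.

function oauth_signature_base(string $method, string $url, array $params): string
{
    // 1. Percent-encode every key and value once (RFC 3986, via rawurlencode).
    $encoded = [];
    foreach ($params as $k => $v) {
        $encoded[rawurlencode($k)] = rawurlencode($v);
    }
    // 2. Sort by encoded key and join as key=value pairs.
    ksort($encoded, SORT_STRING);
    $pairs = [];
    foreach ($encoded as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    // 3. Encode the joined string AGAIN when placing it in the base string.
    //    A callback's "://" therefore appears as %253A%252F%252F here.
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

function oauth_sign(string $base, string $consumerSecret, string $tokenSecret = ''): string
{
    // Key: encoded consumer secret, '&', encoded token secret (empty at this step).
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

$url = 'https://api.twitter.com/oauth/request_token';
$params = [
    'oauth_callback'         => 'http://127.0.0.1/test/', // raw value, not pre-encoded
    'oauth_consumer_key'     => 'CONSUMER_KEY_PLACEHOLDER',
    'oauth_nonce'            => bin2hex(random_bytes(16)),
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_version'          => '1.0',
];

$base = oauth_signature_base('GET', $url, $params);
$params['oauth_signature'] = oauth_sign($base, 'CONSUMER_SECRET_PLACEHOLDER');

// The query string carries each value encoded ONCE (PHP_QUERY_RFC3986 = rawurlencode).
$request = $url . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);

echo $base, PHP_EOL, $request, PHP_EOL;
// Signing an already-encoded callback ("http%3A%2F%2F...") puts %25253A in the base
// string, which no longer matches what a server computes from the decoded value.
```

Values made only of unreserved characters, such as `oob`, encode to themselves at every stage, so they produce the same signature whether the encoding is applied zero, one or two times.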